Electronic health information and privacy

July 30, 2010

The East Coast's largest drugstore chain, Rite Aid, settled a Health Insurance Portability and Accountability Act (HIPAA) privacy violation case with the Department of Health and Human Services (HHS) for $1 million.

In an action coordinated with the Federal Trade Commission (FTC), Rite Aid also signed an FTC consent order to settle potential violations of the FTC Act.

The chain became the subject of a complaint by the HHS Office for Civil Rights (OCR) and the FTC after videos recorded by television news stations showed patients' prescriptions and labeled pill bottles being thrown into publicly accessible industrial trash bins in several U.S. cities, according to a statement from HHS.

The drugstores' actions violated HIPAA privacy rules and put patients' health and other personal information at risk, the statement said.

The HIPAA privacy rule requires healthcare providers, health plans, and other related entities to protect patient privacy, including during maintenance and disposal of patient information.

Entities responsible for safeguarding this information must put up reasonable protection, only release proper and necessary information to contractors, and limit who can view and access a patient's health documents.

According to the statement, Rite Aid failed to safeguard protected health information during disposal, did not train employees on how to dispose of sensitive documents properly, and failed to sanction staff who mishandled them.

July 16, 2010

The federal privacy commissioner was not consulted or briefed on the government's decision to eliminate the compulsory long census form in 2011, despite Conservative claims that Canadians find it an "invasion of privacy."

Privacy Commissioner Jennifer Stoddart's office said Wednesday they received only two complaints about the last census in 2006, and ultimately found that the census process complied with privacy laws.

"Our office has had a good working relationship with StatsCan over the years," said spokeswoman Anne-Marie Hayden.

Hayden said any concerns that the office had with either the census questions or the process were resolved in previous years.

Statistics Canada forwards all privacy-related complaints about the census to the privacy commissioner.

Official Languages Commissioner Graham Fraser was also not consulted.

Industry Minister Tony Clement said earlier in the week that he would not be reversing the decision to abandon a mandatory census in favour of a voluntary survey, despite protest from a wide array of groups, high-profile academics and the former chief statistician of Canada.

Liberal industry critic Marc Garneau called for a House of Commons committee to be convened this summer to question Clement about the change.

"By attacking the census, this government is throwing us in the dark on immigration-related issues. They're doing the same for aboriginals, visible minorities and the disabled, and for those arguing for pay equity."

July 14, 2010

COLUMBUS, Ohio - The state of Ohio has collected millions of dollars selling records with your name, address, driver's license number and other personal information so it can be used in all sorts of ways, from crafting insurance policies to screening job candidates.

Since 2005, the Bureau of Motor Vehicles has sold more than 1.39 billion records containing personal information to various companies, municipalities and other customers for about $42 million, according to state records.

Social Security numbers are included in some records sold, but only for verification, meaning the entity purchasing the information proves it already has an individual's correct number.

The state is limited in what it can do to protect Ohioans' personal data. Vitale said information about Ohio drivers is safe in the BMV's hands, but once it is sold the state does not have the resources to monitor further sales.

Two known security breaches have compromised Ohioans' personal information.

The security breaches at LexisNexis underscore a fear that Ohioans' information could end up in the wrong hands.

But Richard Varn of the Coalition for Sensible Public Records Access recently wrote that such anecdotes do not prove the availability of public records leads to identity theft.

The state sells records from driver's licenses, vehicle registrations and titles in bulk for $0.00139 each, and it sells driver abstracts, which include a driver's history of accidents and violations, for $5.

The $5 price for abstracts is a recent increase; for much of the past five years they sold for $2.

Although driver abstracts account for only a fraction of the records sold -- about 1 percent of the 1.39 billion -- they account for more than $35 million of what the state has collected.

July 07, 2010

Divorce attorneys Leslie and Ken Matthews estimate 1 in 10 of their cases involves evidence plucked from social networking sites.

Oversharing on social networks has led to an overabundance of evidence in divorce cases.

The American Academy of Matrimonial Lawyers says 81 percent of its members have used or faced evidence plucked from Facebook, MySpace, Twitter and other social networking sites, including YouTube and LinkedIn, over the last five years.

Sixty-six percent of the lawyers surveyed cited Facebook foibles as the source of online evidence, she said.

About one in five adults uses Facebook for flirting, according to a 2008 report by the Pew Internet and American Life Project.

Think of Dad forcing son to de-friend mom, bolstering her alienation of affection claim against him.

Mom denies in court that she smokes marijuana but posts partying, pot-smoking photos of herself on Facebook.

Divorce attorneys Ken and Leslie Matthews, a husband and wife team in Denver, Colo., don't see quite as many online gems.

"I want you to remember that the judge can read that stuff, so never write anything you don't want the judge to hear," Viken said.

July 02, 2010

A study out this week from Worcester Polytechnic Institute (WPI) in Massachusetts shows that mobile social networks are giving data about users' physical locations to tracking sites and other social networking services.

Researchers reported that all 20 sites that were studied leaked some kind of private information to third-party tracking sites.

"This initial look at mobile online social networks raises some serious concerns, but there is more work to be done," said Craig Wills, professor of computer science at WPI and a co-author of the study.

"The fact that third-party sites now seem to have the capacity to build a comprehensive and dynamic portrait of mobile online social network users argues for a comprehensive way to capture the entire gamut of privacy controls into a single, unified, simple, easy-to-understand framework, so that users can make informed choices about their online privacy and feel confident that they are sharing their personal, private information only with those they choose to share it with."

"The combination of location information, unique identifiers of devices, and traditional leakage of other personally identifiable information all conspire against protection of users' privacy," the WPI researchers wrote in their report.

Social networking sites like Facebook have come under pressure in recent months to better protect users' private information.

Facebook, for instance, has been criticized not only for creating tools that make it easier to share user information with third-party Web sites, but also for making its privacy controls too difficult to use.

Health and Human Services Commissioner Tom Suehs says state health officials notified his office in early May that a hacker was holding the Texas Cancer Registry hostage and demanding a ransom.

Suehs says preliminary investigation results from the FBI indicate the threat may be a hoax, and officials with the Department of State Health Services, which oversees the cancer registry, say they don't believe the names, dates of birth, Social Security numbers and personal medical information contained in it were stolen.

"This is an incident that makes everybody's antennas go a little bit higher, and I'm using it as an opportunity to elevate our awareness of our responsibility to protect information," Suehs says.

While it's common for state agencies and universities to get hit with computer viruses and other data security breaches --- there are thousands of incidents reported every month, according to state information technology records --- it's very rare for the FBI to be called in to investigate.

Lawmakers, who have left the Health and Human Services Commission's recent requests for information technology upgrades mostly unfunded, say this latest security incident leaves them with no choice but to foot the bill, even in a tougher-than-tough budget cycle.

Information technology upgrades are "a difficult thing to ask for, and it's difficult for the Legislature to prioritize," Suehs says.

Foursquare, one of the net's hottest startups, got an unwanted message on June 20 from a white-hat hacker: it was leaking user data on a massive scale in plain violation of its privacy policy.

The company asked the white hat, Jesper Andersen, to give it nine days to deal with the problem: it was publishing all users' location data to the entire web, despite its privacy-policy promise to users that "You can opt out of such broadcasts through your privacy settings."

At the same time, the company was wrapping up a protracted and very public finance round that stalled for a while as the company reportedly almost sold itself to Facebook.

So when the nine days were up, the company told Andersen in a private e-mail Tuesday morning that it had fixed the "privacy leak" (the company's own words) by modifying how an existing privacy setting worked, and that it had no solution yet for two other privacy holes that Andersen also reported, saying it was trying to figure out how to balance usability with privacy.

As for its blog, the only thing the company disclosed Tuesday was that it had closed a monster round of financing: $20 million in venture capital from some of the hottest investors in the country.

[The company did not] contact users to tell them that it had found and sort-of fixed a hole in its service that violated the promises it had made to users.

The company also didn't respond to two separate e-mails from Wired.com Monday and Tuesday, asking for comment.

And to the company's benefit, the news cycle focused on what Foursquare board member and venture capital investor Bryce Roberts tweeted as "the wire transfer heard 'round the world."

Even after Wired.com's story on the breach ran Tuesday, the company had no reaction to the news of the breach.

The company's blog trumpeted its big funding, with links to its new office and entreaties for programmers to apply for a job, saying, "Look forward to more great product from us soon ...

In response to a follow-up e-mail Wednesday morning, Foursquare's PR manager Erin Gleason said the company had been "swamped for the past couple of days preparing for yesterday's announcement, and your message was buried in my inbox."

Foursquare had nine days to write a simple blog post, acknowledging the hole, explaining the fix and telling users they could opt out in the future and giving credit to Andersen.

But the company didn't do any of those things.

From that it's clear to see that Foursquare isn't focused on its privacy practices, and seems to be ignorant of the consequences of violating its privacy promises to users.

That's the kind of thing that gets companies investigated by the FTC. Twitter just had to settle with the FTC over its overblown promises to users that it would keep their accounts secure --- promises that were shown to be false by repeated account hijackings.

It's also not clear if Foursquare informed their investors of the breach before the checks got cashed.

On Wednesday morning, Wired.com wrote Foursquare, as well as several of its investors, to find out if the company had told the investors about the breach, and why the company hadn't told users.

In response, Foursquare said that its engineer made a change to the site that randomized user pictures (effectively killing the scraping method) and pushed the change live last Thursday, but that the engineer didn't write Andersen until Tuesday, just prior to Wired.com's story.

However, that e-mail didn't mention anything about randomization, and simply said that the privacy opt-out would work differently.

On Wednesday morning, however, prior to Foursquare's response, Andersen wrote Wired.com to report that the site was acting differently.

Frat parties and free music have been among the perks of attending college in the United States during the past decade.

But now the days of using fat campus bandwidth to download movies and music via file-sharing networks appear to be coming to an end.

The Higher Education Opportunity Act (HEOA), which was backed by the movie and music industries, addresses many facets of higher education, but tucked into it are provisions that require schools to adhere to guidelines on illegal file sharing.

In the past year, schools across the country have tried to comply by implementing new procedures and technologies.

At the University of Kansas, for instance, once campus officials receive a notice that accuses a student of illegally sharing music or movies, they suspend Web privileges for that student.

Cary Sherman, president of the Recording Industry Association of America, said that many schools were already cracking down on piracy, but some schools dragged their feet.

College campuses are really the birthplace of file sharing. When Napster came out, it was university students, likely to be more tech savvy and have Internet access, who helped get the word out about the pioneer service.

On Wednesday, federal law enforcement officials seized nine sites and confiscated assets belonging to the site operators. The sites were Movies-Links.tv, Now-Movies.com, TVShack.net, Filespump.com, Planetmoviez.com, ZML.com, ThePirateCity.org, Ninjavideo.net, and NinjaThis.net.

Athenahealth is a high-flier in the Boston business community, led by the outspoken and forceful Jonathan Bush.

Bush, however, openly admits that his Watertown, MA-based company (NASDAQ:ATHN) is relatively unknown outside of local business and technology circles---including among most U.S. physicians.

Athena has been ramping up efforts to raise its profile among doctors, the target audience for its Internet-enabled billing and electronic health records services.

About 16,400 physicians currently use Athena's Internet software and services to manage their billing, and a goal of the company's marketing is to grow its customer base to 100,000 doctors.

To reach that target number, Athena is spending money on measures to get doctors to warm up to the firm's relatively new concept of charging customers at a rate that fluctuates depending on how well its billing system performs for them.

Doctors are notoriously hesitant to adopt new technologies like Athena's.

Also, the company will have trouble matching the marketing might of its larger competitors such as GE Healthcare, Allscripts-Misys Healthcare, and Siemens Medical Solutions.

Allscripts, for example, has about 10 times as many physician customers as Athena and more salespeople beating the pavement to grow that user base further still, says George Hill, an analyst for Leerink Swann, a Boston-based investment bank and equities research firm.

Another challenge for Athena, he adds, is to convince larger medical provider organizations to agree to the same pricing structures that the company has been able to use with small- and mid-sized doctors practices.

Athena typically charges its customers between 4 and 8 percent of their billing revenue, he says, depending on the number of services a customer is getting from the company.

Athena is in a race with competitors to grow its tiny share of the electronic health records market.

As part of the federal stimulus package passed last year, the U.S. government plans to spend $17 billion on Medicare and Medicaid incentives for doctors who adopt electronic health records under guidelines known as "Meaningful Use," beginning in 2011.

Athena launched its electronic health record (EHR) offering in late 2007 and as of March 31 had fewer than 2,000 physicians using the software to store their patients' medical information.

Still, Athena is able to get new users started on its Internet-based system quickly, in part because doctors don't have to load the software onto their own computers or train their own IT staff to maintain it, John Hallock, a company spokesman, says.

To compete with larger firms in the EHR game, Athena has been trying to allay the concerns of many physicians that they will ultimately end up losing money by deploying the records systems.

Bush says that Athena might be able to halve the amount that physicians pay to use its EHR if they participate in what is now a nascent effort at the company called "AthenaCommunity."

Athena's EHR customers who opt to share their patients' data with other providers would pay a discounted rate to use Athena's health record software.

Athena would be able to make money with the patient data by charging, say, a hospital a small fee to access a patient's insurance and medical information from Athena's network.

For a hospital's part, this might be cheaper than paying its own staff to gather a patient's information through standard intake procedures.

Hallock, Athena's spokesman, says the community is in development and is slated to launch later this year.